It’s no secret that Latin America has suffered its fair share of cyberattacks, but the extent of the damage might be worse than many have imagined. In a 2018 study of cybercrime by the Organization of American States (OAS), 92% of banks in the study reported some kind of digital security event and more than 1 in 3 banks reported falling victim to at least one successful attack.
The OAS report uses two kinds of data: data on the behavior of banks and data on a sample of their customers. Regarding the banks, there are 3 top-level results to frame the more detailed data:
- Cyber-attacks are ubiquitous. 92% of banks in the study reported some kind of digital security event, including both successful and unsuccessful attacks (65% of large banks reported successful attacks). If you are a banker, you’ve been hacked.
- Most banks, by a narrow margin, do NOT use advanced detection tools and controls based on big data or artificial intelligence. This problem is more severe for smaller banks, of course, but it exists across the system.
- Cyber-attacks work, and they are costly. The average cost of an attack in Latin America was US $1.9 million, with a region-wide loss in 2017 of US $809 million.
From the customers’ point of view, digital services are desirable and widely used. This is reflected in the fact that customers are increasingly using the super-convenient smartphone as a banking platform.
- A large majority of customers, 88%, use one or more digital services, and the usage percentages for the various services are increasing. Of those who did not, 59% cited distrust of the digital environment as the reason.
- Customers are the weaker link in the chain. Though most of them understand the general threat and some of the methods of cyber-attacks, they do not use sophisticated methods to thwart them.
- 27% of customers had suffered some kind of attack, with 47% of these reporting a financial loss. About 70% of these were fully or partially compensated (at a loss to the bank or insurer). People who were attacked also reported reduced affect for the banks (reputational loss).
- Incident reporting was very low. Customers reported that their banks did not have visible reporting mechanisms, and few reported losses to the authorities.
From the detailed OAS report, a few lessons emerge. First, the digital security risks that warrant the most attention from banking entities are theft of a critical database; compromise of privileged user credentials; and data loss.
Second, defensive systems used by both the financial institution and its customers are probably behind the curve. Hackers, on the other hand, are persistent and aggressive. Banks need to step up their efforts to adopt advanced controls and invest continuously in these tools. Banks might also improve efforts to educate customers and install security requirements that help to insulate the system from mistakes of relatively unsophisticated users.
Finally, both banks and customers are committed to the digital future. Customers report that even knowing the threats of digital services, they will not stop using them. Banks continue to adopt ever more digital services to satisfy customers and lower costs. So, the prize for fraudsters and criminals will remain.
Cyber criminals will not miss seeing the opportunity. The question is, how will banks respond?